[TAP5-1442] XSS vulnerability in calendar component - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 5.2.4
Fix Version/s: 5.3
Component/s: tapestry-core
Labels:
None

Description

All the XSS Vulnerabiliy (described here : https://issues.apache.org/jira/browse/TAP5-1057) is not solved.

When we use a Software like Paros, we can change the value of Ajax Request parameters.

We can run javascript code.

I did a patch this morning. I just added the escapeHTML function in both of the errorHandler methods.

Emmanuel

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

datefield_js.patch
11/Mar/11 10:47
0.9 kB
Emmanuel DEMEY
datefield_5_2_4_xss_fix.js
14/Feb/11 12:48
4 kB
Emmanuel DEMEY

Activity

People

Assignee:: Howard Lewis Ship

Reporter:: Emmanuel DEMEY

Votes:: 6 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 14/Feb/11 12:47

Updated:: 19/Oct/11 17:38

Resolved:: 19/Oct/11 16:55